Closed robertbastian closed 2 days ago
Does it really need to be filed for both crates? If one pulls in the other, that’s sufficient.
It's possible (but unlikely) to be in a setup of `zerovec-derive@0.10.0` and `zerovec@0.10.4`. This is a vulnerable combination.
Edit: `zerovec` only pulls in `zerovec-derive` with the `derive` feature, that could be off with a client manually importing `zerovec-derive`.
@tarcieri the vulns are present in both crates independently: the derive macro doesn't enforce `C, packed`, and the manual impls in the zerovec crate also don't have `C, packed`.
cc @Manishearth